Nix daemon should use seccomp filtering #59
Comments
Hm, I guess seccomp isn't what you're looking for, because IMHO it is too restrictive in our case (as it only allows read, write, sigreturn and exit syscalls). If you really want to use seccomp for that to avoid chrooting, we might need to create a preload wrapper which passes every open, fork, exec, whatnot to some special master daemon which executes that action and hands down the FD over unix sockets. And this in turn leads to way more complexity around a feature which is not meant to be used like that. A better way would be to make use of an LSM to properly avoid running as root. Unfortunately the availability of the LSM varies depending on the distribution/kernel configuration.
You're talking about the old seccomp. The new seccomp filtering feature in Linux 3.5 should allow (almost) arbitrary syscall filtering using BPF. See http://kernelnewbies.org/Linux_3.5/#head-c48d6a7a26b6aae95139358285eee012d6212b9e.
Hm, my impression was that it does not allow syscalls beyond the scope of the currently active capabilities (like chroot)?
It doesn't, but it should allow restricting a root process, e.g. disallowing file system access outside of /nix or setuid to non-nixbld users.
Okay, as I'm already implementing seccomp BPF for steam (see aszlig/nixpkgs@49d6a8b), I'm assigning this issue to me, as I'm on my way to making this generic. Correction: I would have assigned this to me :-)
Closing this, we're already using seccomp.
The Nix daemon runs as root because it needs to do privileged operations like starting a builder under a different uid. This is bad because it presents a fairly big attack surface. We should investigate seccomp filtering for restricting what the daemon can do (e.g. only modify files in the Nix store, change uid to nixbld-*, and so on).
(There is nix-setuid-helper, but it's not currently used because it doesn't support things like chroot builds. And setuid programs are evil.)
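Added example, not code from the Nix project or from anyone in this thread: a seccomp-BPF policy of the kind the issue and the "setuid to non-nixbld users" comment describe. It lets a root process call setuid() only for a constructed nixbld uid range, refuses the other uid-changing syscalls so they cannot sidestep the range check, passes everything else through, and includes a dry-run interpreter so the policy can be checked before prctl() makes it irreversible. The uid range, the filter layout and the x86_64-only arch constant are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
/* Constructed values: assume the nixbld build users occupy this uid range. */
#define NIXBLD_UID_MIN 30001u
#define NIXBLD_UID_MAX 30032u
#define HOST_ARCH AUDIT_ARCH_X86_64 /* assumption: use the matching AUDIT_ARCH_* elsewhere */
#define DENY (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Policy: setuid() may only switch to a nixbld uid (the kernel reads uid_t from the low
 * 32 bits of args[0]); setreuid/setresuid/setfsuid are refused; all else is allowed. */
static struct sock_filter uid_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HOST_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),              /* foreign syscall ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setuid, 5, 0),   /* jump to the uid check */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setreuid, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setresuid, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setfsuid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),                           /* other uid changers */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),              /* unrelated syscalls */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)), /* low 32 bits, LE */
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, NIXBLD_UID_MIN, 0, 2), /* below range: deny */
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, NIXBLD_UID_MAX, 1, 0), /* above range: deny */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY),
};

/* Dry-run interpreter for the cBPF subset used above (LD_ABS, JEQ/JGE/JGT, RET). */
unsigned verdict(unsigned arch, int nr, unsigned long arg0) {
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    for (unsigned pc = 0, A = 0;;) {
        struct sock_filter in = uid_filter[pc++];
        if (BPF_CLASS(in.code) == BPF_LD) memcpy(&A, (char *)&d + in.k, 4);
        else if (BPF_CLASS(in.code) == BPF_RET) return in.k;
        else pc += (BPF_OP(in.code) == BPF_JEQ ? A == in.k
                  : BPF_OP(in.code) == BPF_JGE ? A >= in.k : A > in.k) ? in.jt : in.jf;
    }
}

/* Install the policy in the calling process; it cannot be removed afterwards. */
int install_uid_filter(void) {
    struct sock_fprog prog = { sizeof uid_filter / sizeof *uid_filter, uid_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

As the thread notes, the filter only narrows what the daemon may do; it grants nothing, and a real policy would also need the file-system restrictions discussed above, which seccomp cannot express because it cannot inspect path arguments.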